On Wed, 09 Dec 2009 11:33:25 +0100, [email protected] <[email protected]> wrote:
http://kuza55.blogspot.com/2007/07/exploiting-reflected-xss.html -- Eduardo
It seems it is not considered an issue for same-origin requests per that page, and cross-origin requests are only dealt with in XMLHttpRequest Level 2, which requires strict per-header opt-in. Have you talked with implementors about this?
-- Anne van Kesteren http://annevankesteren.nl/
